I can't foresee a time I would want a user to just disappear entirely from a
system because their password is locked. I don't want locked users to be invisible, I
want them to be locked so they can't log in. I still want NSS to know the users exist
so when someone does an 'ls -l' it doesn't just list numbers for them, or if
they need to query an email or phone number, it's still available. There are lots of
reasons I can think of why I need to lock an account to prevent a user from logging into a
given system, none that I can think of where I would want the user to 100% disappear
because their account is locked.
I understand how ACLs work and I don't see changing ACLs as a solution
to this problem. My RHEL admins won't take kindly to me just making users
disappear on their systems because their account is locked; they're funny that
way. They'd rather a message showed up in syslog saying user X is locked when the
user tries to log in, so they see it.
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi(a)epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward(a)epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi(a)epa.gov
From: Michael Ströder <michael(a)stroeder.com>
Sent: Wednesday, November 27, 2013 1:10 PM
To: Viviano, Brad; openldap-technical(a)openldap.org
Subject: Re: OpenLDAP with ppolicy and SSSD configuration question.
Viviano, Brad wrote:
Adjusting ACLs seems like overkill for this situation and I have
to work within the bounds of what sssd offers.
I'm doing this with sssd and it's definitely not overkill
=> there's no valid excuse to not learn about ACLs
And it does not only work for applications/clients which support a custom
name-your-favourite-vendor-specific-lock-attribute-here. If done right ACLs
simply make entries invisible for sssd or *every* application integrated with
your LDAP server.
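To make the ACL approach Michael describes concrete, here is an added slapd.conf access fragment (not configuration from either poster) that hides any entry carrying ppolicy's pwdAccountLockedTime attribute from every client, sssd included, which is also why it would not satisfy Brad's requirement that NSS still resolve locked users. It assumes the ppolicy overlay sets pwdAccountLockedTime on locked accounts and that cn=replicator,dc=example,dc=com is a placeholder DN that must still be able to see those entries.

```conf
# Added example (not from the thread): slapd.conf access directives.
# Assumes the ppolicy overlay is loaded and stores pwdAccountLockedTime
# on locked entries; cn=replicator,dc=example,dc=com is a placeholder.
#
# slapd evaluates "access to" clauses in order and applies the first
# one whose target matches the entry, so the lock filter must come
# before the general rules below.

# 1. Entries with a ppolicy lock timestamp: no search, read, compare
#    or auth access for anyone except the placeholder DN, so the
#    entry is invisible to sssd and every other client, and a bind
#    as that user fails as well.
access to filter=(pwdAccountLockedTime=*)
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by * none

# 2. Unlocked entries keep the usual policy: users may change their
#    own password, anonymous may only authenticate against it, and
#    authenticated clients (sssd's bind DN included) may read.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by users read
        by * none
```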